Synchronizing DB/Config between two standalone ACS, v5.4
Hello.
I'm in the process of migrating a client's ACS from 4.2 to 5.4. With 4.2, they have it set up so that two standalone ACS servers (one in US, one in UK) will replicate database and configuration information. They are not configured as a primary/secondary setup.
For instance, any devices in the Data Center in UK will reference the UK ACS server first, US second. In the US, it is the opposite. Any configuration changes are generally made on the US side which then replicates to the UK side.
Is this situation possible in 5.4? I want to avoid users in the UK having to authenticate to the US server and vice-versa unless their local ACS is down.
Hopefully that makes sense. If it doesn't, let me know.
I'm looking for a method to replicate the content of a database from one standalone ACS to another. I am not looking for a failover solution.
The difference is that I want UK people to authenticate to the UK server first, and I want US people to authenticate to the US server first.
Does that make sense, or am I just not understanding something?
Similar Messages
-
Two standalone ACS for TACACS authentication
Dear All,
I have a network consisting of some 30 routers and I have 2 ACS 5.3 appliances.
I am planning to configure the ACS (A, B) boxes in standalone mode,
and I want to configure both ACS boxes as TACACS servers on all my routers,
with ACS A as the primary on some routers and ACS B as the primary on other routers,
and there is no configuration sync between the ACS boxes.
Will this setup have any authentication issues if either of the ACS boxes fails?
Thanks in advance,
Selva
There will be no issue, unless the configuration is not the same. In my personal opinion, a distributed deployment is the best method if you are planning to keep more than one ACS within a domain.
-
Cross switch etherchannel config between two 6500 and 3750
Dear All,
I would like to design the network and ran into a problem. My network has one 3750 and two 6500s. I would like to set up the etherchannel from the 3750 (two uplink ports in total), one link to the first 6500 and the other link to the second 6500, with one trunk between the 6500s for redundancy.
I tried to use PAgP (auto/desirable, on/on), but the channel misconfig error occurred, and the etherchannel stays in suspected or standalone state.
Can anybody suggest/recommend some method for this case?
Thanks
Unfortunately, you cannot create an etherchannel from one device to two different devices. For example, from the 3750 you have gig 1/0/1 and gig 1/0/2. gig 1/0/1 of the 3750 connects to port 1/1 of switch A and gig 1/0/2 of that same 3750 connects to port 1/2 of switch B. You can NOT create an etherchannel on the 3750 to combine gig 1/0/1 and gig 1/0/2 to create a bigger pipe. That is not what etherchannel is designed to do.
However, if you have gig 1/0/1 and gig 1/0/2 on the 3750 connecting to ports 1/1 and 1/2 of switch A, you can create a channel on both devices to create a bigger pipe (4 GBPS @ full duplex). And let's say that on that same 3750 you have an additional gig 1/0/3 and gig 1/0/4 that connect to ports 1/1 and 1/2 of switch B; you can create another separate channel that combines gig 1/0/3 and gig 1/0/4 and switch B's ports 1/1 and 1/2. This scenario is totally acceptable.
I hope that helps clear up channeling.
In your described scenario, channeling is not what you are asking for; it's STP, and you really do not need to do anything as STP is enabled by default. Maybe you just need to make sure that the root is where you want it to be, and that is configurable. With your looped physical topology, STP will prevent a loop from forming and will give you the redundancy you seek: when one link fails, the ports blocked by STP go to forwarding once STP detects that they should forward.
Please rate helpful posts. -
Trunk config between two 6500 cat switches
Hi All,
What is the recommended trunk configuration between 2 Cisco 6500 switches, including an HSRP scenario?
Thanks
Hi Samir,
In almost all scenarios, it's recommended to have 'dot1q' encapsulation and a static trunk config 'switchport mode trunk'. Matching the native VLAN on both sides is required and will be VLAN1 by default.
When configuring trunks, you should be mindful of VTP, trunk and STP states. Reviewing the following for mismatches between your Cat6K will help:
- show vtp status
- show interfaces trunk
- show spanning-tree
In terms of HSRP, it is also recommended to run HSRP active in the same location as STP Root to avoid any asynchronous routing problems.
/ijay -
How to setup the sync between two new ACS server
Hey
I setup one acs v5.3 in one server in NYC and another acs v5.3 in SJC,
I want to make the acs.nyc the primary and acs.sjc the secondary. How do I set it up?
thanks,
Yang
Make sure that each box has a unique license.
On the box that will be the secondary do the following:
Go to System Administration > Operations > Local Operations > Deployment Operations
Enter the IP address of the Primary Instance and the admin username / password, and then press "Register to Primary"
The registration process takes a little time since it also involves copying the database from the primary and then restarting the secondary with the new database. You can monitor the progress of this on the primary at
System Administration > Operations > Distributed System Management -
How can I pass a variable(s) between two swfs?
Hello all,
I was wondering if it is possible to pass variables between two standalone swfs that are not being hosted on a webserver. I am creating a flash projector to go on a CD Rom and want to load another swf into the _root level and in the process, want to pass a variable or two to the "new" swf that is being loaded. Any help or insights that you can offer would be greatly appreciated!
Thanks for your help.
Tim
If by _root level you mean you're loading something into _level0, you won't be able to use the localconnection. The sharedobject is your only option. -
Problem with config sync between two CSM-S modules
Hi everybody,
I have a problem with config sync between two CSM-S modules.
I am using CSM-S software version 2.1(8).
The active module is used in a 6509 with WS-SUP720-BASE supervisor running software version 12.2(18)SXF12a.
The standby module is used in a 6509-V with VS-S720-10G supervisor (no VSS setup) running software version 12.2(33)SXI3.
Failover seems to work fine:
switch-active#sh modu csm 2 ft
FT group 1, vlan 398
This box is active
Configuration is out-of-sync
priority 150, heartbeat 3, failover 40, preemption is on
switch-standby# sh modu csm 2 ft
FT group 1, vlan 398
This box is in standby state
Configuration is out-of-sync
priority 80, heartbeat 3, failover 40, preemption is on
The command (on active side) "hw-module contentSwitchingModule 2 standby config-sync" leads to following result:
switch-active:
2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56042: Apr 14 16:21:44.223: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Bulk sync started
2010-04-14T16:21:45+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56043: Apr 14 16:21:44.251: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configurations to Standby CSM, this may take several minutes!
2010-04-14T16:21:46+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56044: Apr 14 16:21:45.995: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:21:51+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56045: Apr 14 16:21:50.831: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:21:57+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56046: Apr 14 16:21:56.151: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Active: Sending configuration to Standby CSM
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56047: Apr 14 16:22:58.791: %CSM_SLB-3-REDUNDANCY: Module 2 FT error: Active: Manual bulk sync timed out
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56048: Apr 14 16:22:58.803: %CSM_SLB-3-REDUNDANCY: Module 2 FT error:
2010-04-14T16:22:59+02:00 srz16-1b.net.dsh.at/srz16-1b.net.dsh.at 56049: FT CONFIG SYNC: Failed config sync entity send
switch-standby:
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2475: Apr 14 16:21:44.232: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Bulk sync started
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2476:
2010-04-14T16:21:45+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2477: Apr 14 16:21:44.240: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: STANDBY:Configuration is being received, This may take several minutes!
2010-04-14T16:21:49+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2478: Apr 14 16:21:48.824: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
2010-04-14T16:21:54+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2479: Apr 14 16:21:53.964: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Receiving configuration from Active CSM
2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2480: Apr 14 16:21:58.852: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Started clearing configuration
2010-04-14T16:21:59+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2481: Apr 14 16:21:59.400: %CSM_SLB-4-REDUNDANCY_WARN: Module 2 FT warning: Standby: Config Sync does not save running-config to startup-config
2010-04-14T16:22:00+02:00 srz31-5a.net.dsh.at/srz31-5a.net.dsh.at 2482: Apr 14 16:21:59.400: %CSM_SLB-6-REDUNDANCY_INFO: Module 2 FT info: Standby: Previous configuration are being deleted from supervisor
The last log message on standby device seems to be correct - there is no CSM configuration after the attempted config sync.
Our configuration includes about 3500 lines and it is really uncomfortable to keep in sync manually.
Maybe someone has the same problem?
kind regards,
Christoph
Hi Christoph,
I am running into the exact same issue. Upon further investigation I've discovered that this is a known bug, CSCtd09117. You can read more about it here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd09117 . Apparently this is fixed in ver 12.2(32.8.11)SX323 .
I haven't had a chance to upgrade yet, so I can't verify the fix, but if it works for you please let me know.
Regards,
Brandon -
Site to Site VPN Between Two ASA 5505's Up But Not Passing Traffic
hello,
i am setting up a site to site vpn between two asa 5505's. the tunnel is up but i cannot get it to pass traffic and i have run out of ideas at this point. i am on site as i am posting this question and only have about 4 hours left to figure this out, so any help asap is greatly appreciated. i'll post the configs below along with the output of sh crypto isakmp sa and sh ipsec sa.
FYI the asa's are different versions, one is 9.2 the other is 8.2
Note: 1.1.1.1 = public ip for Site A 2.2.2.2 = public ip for site B
Site A running config:
Result of the command: "sh run"
: Saved
ASA Version 8.2(2)
hostname csol-asa
enable password WI19w3dXj6ANP8c6 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.0 san_antonio_inside
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns domain-lookup inside
dns server-group DefaultDNS
name-server 24.93.41.125
name-server 24.93.41.126
object-group network NETWORK_OBJ_192.168.2.0_24
access-list inside_access_out extended permit ip any any
access-list outside_access_out extended permit ip any any
access-list outside_access_in extended permit icmp any any
access-list outside_access_in_1 extended permit icmp any interface outside
access-list outside_access_in_1 extended permit tcp any interface outside eq pop3
access-list outside_access_in_1 extended permit tcp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 8100
access-list outside_access_in_1 extended permit udp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 1025
access-list outside_access_in_1 extended permit tcp any interface outside eq 5020
access-list outside_access_in_1 extended permit tcp any interface outside eq 8080
access-list outside_access_in_1 extended permit tcp any interface outside eq www
access-list outside_access_in_1 extended permit ip san_antonio_inside 255.255.255.0 any
access-list outside_1_cryptomap extended permit ip 192.168.2.0 255.255.255.0 host san_antonio_inside
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
access-list inside_nat0_outbound extended permit ip 192.168.2.0 255.255.255.0 san_antonio_inside 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat-control
global (inside) 2 interface
global (outside) 101 interface
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 101 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface pop3 192.168.2.249 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 8100 192.168.2.161 8100 netmask 255.255.255.255
static (inside,outside) udp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
static (inside,outside) tcp interface 5020 192.168.2.8 5020 netmask 255.255.255.255
static (inside,outside) tcp interface 8080 192.168.2.251 8080 netmask 255.255.255.255
static (inside,inside) tcp interface www 192.168.2.8 www netmask 255.255.255.255
static (inside,outside) tcp interface 1025 192.168.2.161 1025 netmask 255.255.255.255
access-group inside_access_out out interface inside
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.2.0 255.255.255.0 inside
http 2.2.2.2 255.255.255.255 outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map1 1 match address outside_1_cryptomap_1
crypto map outside_map1 1 set peer 2.2.2.2
crypto map outside_map1 1 set transform-set ESP-3DES-SHA
crypto map outside_map1 interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd address 192.168.2.30-192.168.2.155 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain corporatesolutionsfw.local interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
pre-shared-key *****
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:021cf43a4211a99232849372c380dda2
: end
Site A sh crypto isakmp sa:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 2.2.2.2
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
Site A sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
access-list outside_1_cryptomap_1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 71.40.110.179
path mtu 1500, ipsec overhead 58, media mtu 1500
current outbound spi: C1074C40
current inbound spi : B21273A9
inbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914989/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0xFFFFFFFF 0xFFFFFFFF
outbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, }
slot: 0, conn_id: 1691648, crypto-map: outside_map1
sa timing: remaining key lifetime (kB/sec): (3914999/27694)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Site B running config:
Result of the command: "sh run"
: Saved
: Serial Number: JMX184640WY
: Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
ASA Version 9.2(2)4
hostname CSOLSAASA
enable password WI19w3dXj6ANP8c6 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 2.2.2.2 255.255.255.248
ftp mode passive
object network NETWORK_OBJ_192.168.1.0_24
subnet 192.168.1.0 255.255.255.0
object network mcallen_network
subnet 192.168.2.0 255.255.255.0
access-list outside_cryptomap extended permit ip object NETWORK_OBJ_192.168.1.0_24 object mcallen_network
access-list outside_access_in extended permit ip object mcallen_network 192.168.1.0 255.255.255.0
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-731-101.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,outside) source static NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 destination static mcallen_network mcallen_network no-proxy-arp route-lookup
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 2.2.2.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA-TRANS mode transport
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5-TRANS mode transport
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto map outside_map3 1 match address outside_cryptomap
crypto map outside_map3 1 set peer 1.1.1.1
crypto map outside_map3 1 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map3 interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.200-192.168.1.250 inside
dhcpd dns 24.93.41.125 24.93.41.126 interface inside
dhcpd domain CSOLSA.LOCAL interface inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
anyconnect-essentials
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
ikev1 pre-shared-key *****
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:4e058021a6e84ac7956dca0e5a143b8d
: end
Site B sh crypto isakmp sa:
Result of the command: "sh crypto isakmp sa"
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.1.1.1
Type : L2L Role : initiator
Rekey : no State : MM_ACTIVE
There are no IKEv2 SAs
Site B sh ipsec sa:
Result of the command: "sh ipsec sa"
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 286, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#TFC rcvd: 0, #TFC sent: 0
#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
#send errors: 0, #recv errors: 0
local crypto endpt.: 2.2.2.2/0, remote crypto endpt.: 1.1.1.1/0
path mtu 1500, ipsec overhead 58(36), media mtu 1500
PMTU time remaining (sec): 0, DF policy: copy-df
ICMP error validation: disabled, TFC packets: disabled
current outbound spi: B21273A9
current inbound spi : C1074C40
inbound esp sas:
spi: 0xC1074C40 (3238480960)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373999/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000003
outbound esp sas:
spi: 0xB21273A9 (2987553705)
transform: esp-3des esp-sha-hmac no compression
in use settings ={L2L, Tunnel, IKEv1, }
slot: 0, conn_id: 28672, crypto-map: outside_map3
sa timing: remaining key lifetime (kB/sec): (4373987/27456)
IV size: 8 bytes
replay detection support: Y
Anti replay bitmap:
0x00000000 0x00000001
Hi Keegan,
Your tunnel is up and encrypting traffic one way; the other end is not able to encrypt the traffic.
I would suggest doing a 'clear xlate'. Sometimes if you set up the nonat configuration after you've attempted other configurations, you need to 'clear xlate' before the previous NAT configuration is cleared and the new one works.
HTH
"Please rate useful posts" -
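Added example (not part of the thread): a Python sketch that reads the encaps/decaps counters from ASA "sh ipsec sa" output and flags an SA that carries traffic in one direction only, the condition the reply above describes. The sample text is abridged from the output posted above; the function names, thresholds and hint wording are assumptions made for illustration.

```python
import re

# Fields pulled from each SA block of "show ipsec sa" output.
FIELDS = {
    "local_ident": re.compile(r"local ident \(addr/mask/prot/port\): \((.+?)\)"),
    "remote_ident": re.compile(r"remote ident \(addr/mask/prot/port\): \((.+?)\)"),
    "peer": re.compile(r"current_peer: ([^\s,]+)"),
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors: (\d+)"),
    "recv_errors": re.compile(r"#recv errors: (\d+)"),
}
COUNTERS = {"encaps", "decaps", "send_errors", "recv_errors"}

# Generic reading of each verdict (an assumption of this example, not from the thread).
HINTS = {
    "receives_only": "decrypts inbound packets but encrypts almost none; check "
                     "this unit's return path (NAT exemption, inside routing, ACLs)",
    "sends_only": "encrypts outbound packets but decrypts almost none; "
                  "run the same check on the peer",
    "two_way": "traffic flows in both directions",
    "idle": "too few packets to judge; generate test traffic first",
}


def parse_ipsec_sa(text):
    """Return one dict per SA; a 'local ident' line starts a new SA block."""
    entries, current = [], None
    for line in text.splitlines():
        for name, pattern in FIELDS.items():
            match = pattern.search(line)
            if not match:
                continue
            if name == "local_ident":
                current = {"local_ident": match.group(1)}
                entries.append(current)
            elif current is not None:
                value = match.group(1)
                current[name] = int(value) if name in COUNTERS else value
    return entries


def classify(entry, floor=10, ratio=10):
    """Compare encrypted (outbound) and decrypted (inbound) packet counts."""
    enc, dec = entry.get("encaps", 0), entry.get("decaps", 0)
    if enc < floor and dec < floor:
        return "idle"
    if dec >= ratio * max(enc, 1):
        return "receives_only"
    if enc >= ratio * max(dec, 1):
        return "sends_only"
    return "two_way"


def report(site, text):
    """Return one summary line per SA found in the output."""
    entries = parse_ipsec_sa(text)
    if not entries:
        return [f"{site}: no IPsec SA found in this output"]
    lines = []
    for e in entries:
        verdict = classify(e)
        lines.append(
            f"{site} peer {e.get('peer', '?')}: encaps={e.get('encaps', 0)} "
            f"decaps={e.get('decaps', 0)} -> {verdict}: {HINTS[verdict]}"
        )
    return lines


# Abridged from the "sh ipsec sa" output posted in the thread above.
SITE_A = """\
interface: outside
Crypto map tag: outside_map1, seq num: 1, local addr: 1.1.1.1
local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (san_antonio_inside/255.255.255.0/0/0)
current_peer: 2.2.2.2
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 239, #pkts decrypt: 239, #pkts verify: 239
#send errors: 0, #recv errors: 0
"""
SITE_B = """\
interface: outside
Crypto map tag: outside_map3, seq num: 1, local addr: 71.40.110.179
local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
current_peer: 1.1.1.1
#pkts encaps: 286, #pkts encrypt: 286, #pkts digest: 286
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#send errors: 0, #recv errors: 0
"""

if __name__ == "__main__":
    for site, text in (("Site A", SITE_A), ("Site B", SITE_B)):
        print("\n".join(report(site, text)))
```
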
Error 33172 occurred at Read & Write data transfer between two or more PF2010 controller
Hi, I need to do data transfer between two or more FP2010 controllers, e.g. FP2010(A) & FP2010(B).
FP2010(A) needs to transfer the measurement (from its I/O module) to FP2010(B) to do the data analysis. These data transfers should be synchronous between the two controllers to prevent data loss.
From the vi used in the attachment, I encountered some problems:
(1) Error 33172 occurred while publishing the data. Can I create and publish data under a different item name?
(2) How do I synchronize the read & write between controllers?
All controllers are communicating with each other directly without the need of a host computer to link them together.
Is there any other method to do fast data transfer between controllers?
Hi YongNei,
You were successful in omitting enough information to make it very difficult to answer!
Please post your example.
Please tell us what version of LV-RT you are using.
Please define what you consider "fast data transfer".
Have you considered mapping the FP tags of FP2010(A) to FP2010(B) and vice versa?
What exactly has to be synchronized?
If you have something that is close to working, share that.
Well, that's as far as I can go with the info you have provided. Depending on the details, what you are asking could be anything from trivial to impossible with the currently available technology. I just can't say.
It would probably be a good idea to start over with a fresh question (sorry) because not many people are going to know what a "PF2010" is and I cannot guarantee that I will be able to get back to you personally until next week-end.
Trying to help you get an answer,
Ben
Ben Rayner
-
Problems getting static NAT to work between two internal lans
Hi, I'm trying the old problem of routing between two internal LANs. This is on cli 8.6(1)2. I have three interfaces/LANs; outside is to the internet, inside is the rack in the datacentre and office is a dedicated ethernet link to our office. What I want to do is allow all (for now) traffic between office and inside. There's a million hits on this on the 'net but I can't get it to work. Packet trace shows packets accepted from office to inside but blocked from inside to office. Both static nats are set up identically. Here's the output of show nat after packet traces in both directions. It clearly shows that inside to office isn't hitting the nat policy. I enclose what I think are the relevant bits of my config. Full config less passwords + crypto attached.
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
translate_hits = 0, untranslate_hits = 0
interface GigabitEthernet0/0
nameif inside-ld5
security-level 100
ip address 10.20.15.2 255.255.255.0
interface GigabitEthernet0/6
nameif office
security-level 100
ip address 10.20.11.9 255.255.255.0
object network inside-ld5
subnet 10.20.15.0 255.255.255.0
object network inside-office
subnet 10.20.11.0 255.255.255.0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
nat (office,inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
nat (inside,office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
Hi Kevin,
Because your interfaces inside and office are at the same security level and you have enabled same-security-traffic permit inter-interface, traffic should simply flow between these interfaces. So I think you don't need NAT between these two subnets if there is no other reason to do so.
Then you just configure an ACL which will permit the traffic you want between these LANs. In this case both networks are directly connected so routing should work (instead of NAT).
Best Regards,
Jan -
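The hit counters in the show nat output quoted in this thread can be checked programmatically instead of by eye. The following Python parser is an added example, not code from the thread; its function names are assumptions, and its input is the quoted output embedded as a constructed sample. It lists rules whose two counters are both zero and pairs up rules that are mirror images of each other.

```python
import re

# Constructed input: the "show nat" lines quoted in the post above.
SHOW_NAT = """\
Manual NAT Policies (Section 1)
1 (office) to (inside) source static inside-office inside-office destination static inside-ld5 inside-ld5 no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 3
2 (inside) to (office) source static inside-ld5 inside-ld5 destination static inside-office inside-office no-proxy-arp route-lookup
    translate_hits = 0, untranslate_hits = 0
"""

RULE_RE = re.compile(
    r"^\s*(\d+)\s+\((\S+?)\)\s+to\s+\((\S+?)\)\s+source\s+static\s+(\S+)\s+(\S+)"
    r"\s+destination\s+static\s+(\S+)\s+(\S+)")
# \b keeps the first counter from matching inside "untranslate_hits".
HITS_RE = re.compile(r"\btranslate_hits\s*=\s*(\d+),\s*untranslate_hits\s*=\s*(\d+)")

def parse_show_nat(text):
    """Parse static manual NAT rules and attach the counter line that follows each."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"index": int(m.group(1)),
                          "ifaces": (m.group(2), m.group(3)),
                          "source": (m.group(4), m.group(5)),
                          "destination": (m.group(6), m.group(7)),
                          "translate_hits": None, "untranslate_hits": None})
            continue
        h = HITS_RE.search(line)
        if h and rules and rules[-1]["translate_hits"] is None:
            rules[-1]["translate_hits"] = int(h.group(1))
            rules[-1]["untranslate_hits"] = int(h.group(2))
    return rules

def never_matched(rules):
    """Indexes of rules whose two counters are both zero."""
    return [r["index"] for r in rules
            if r["translate_hits"] == 0 and r["untranslate_hits"] == 0]

def mirrored_pairs(rules):
    """Index pairs where one rule is the other with interfaces and objects swapped."""
    pairs = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a["ifaces"] == b["ifaces"][::-1]
                    and a["source"] == b["destination"]
                    and a["destination"] == b["source"]):
                pairs.append((a["index"], b["index"]))
    return pairs
```
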
Sync config between active and standby CSM
Is there a way to sync config between active and standby CSMs? Just as one that in CSS.
How about two SSL Service module in two different 6500 chassis?
Thanks.
Hi,
There is right now no command to commit redundancy between two CSM modules. Maybe in the future there will be one. Okay, in regards of sync, the only way to check for redundancy is the show mod csm x ft command. But be aware that some slight differences like a real not being in service are sometimes not recognized.
In regards of the SSL Module there is no way as far as I know to sync them. This won't be present in the future in my opinion as there are certificates which require a password or something like that and one won't be able to do redundancy without those passwords. So in my opinion there is no way to sync two SSL Modules because of security issues.
Kind regards,
Joerg -
Stock transfer between two St locs of same warehouse
Hi All,
I am new to WM and trying to config/simulate st loc to st loc transfer 311
one step between two st locs that belong to same warehouse number.
What should be the config and under
LE->WM->Interface->IM->movement types -> assign WM Movement Type
References to IM Movement Types. In my system for 311 movement type entry with
only the quantity check box checked and no other spl stock I see that there are
three columns mentioned below
For mvt types on WM side first one “Reference movement type for WM from
material movements” = 311
Second one “Reference movement type for transfer in warehouse mgmt.” =312
Third one “Reference movement type for posting change in whse mgmt.”=309
The reason I am confused is when I do a MB1B 311 from one st loc to another
st loc from unrestricted to unrestricted on IM side it is triggering 309 on WM
side where as I am expecting 311 to trigger with TR to pick from issuing St loc
and another TR/TO with (312 or 311 I am not sure) to putaway the stock in to
the receiving st loc. Can someone help in explaining how should the stand SAP
IM/WM interface work and what should I be doing to make it work that way
Thank you in advance
J
Hi J,
To explain it to you in a simple way:
When the Sloc is WM managed and stock is transferred at IM level using 1 step within the plant, stock is directly transferred from one sloc to the other sloc (no TR/TO is created to pick and putaway unless configured). Due to this a difference is created between IM & WM level, hence mvt type 309 is triggered for PCN. This mvt 309 is picked based on std config at
LE->WM->Interface->IM->movement types -> assign WM Movement Type
References to IM Movement Types
If you want to create TR immediately then put x in 9 column against mvt 309 and w/h combination.
LE->WM->Interface->IM->movement types -> LE-WM Interface to Inventory Management -
N bridge between two 1252an in bridge mode at 5GHz
I've read in some of the cisco documentation on the 1250 series that root bridge or non root bridge modes are "not tested". They don't say "not supported". I have a client that could use a high bandwidth link between two buildings that are 100' or so apart. The fiber link has already been busted twice. Heavy heavy trucks kill the ground concrete. I have configed a 54Mbps solution with two 1242G's and some cisco yagi's. But, if an N bridge is possible with two 1252AG's, and go faster than the 54Mbps..I'd go with that setup.
Cisco documentation says the bridge modes show up in the 1252 webgui and are selectable. They just end it with "not tested".
Any thoughts?
It became supported in recent versions of the 1250 IOS.
|With this feature, the Cisco Aironet 1140 and 1250 Series can be configured for both access point and bridge functions. Bridging support on 802.11n access points offers added performance, reliability and throughput for basic wireless LAN coverage, wireless LAN coverage with wireless backhaul, and more traditional bridging applications.|
http://www.cisco.com/en/US/partner/prod/collateral/wireless/ps5678/ps6087/product_bulletin_c25-560118_ps6973_Products_Bulletin.html
Nicolas
-
Better estimation of phase difference between two signals with variable frequency!
Hello LabView Gurus,
Being a power engineer and having just a little knowledge of signal processing and labview, I have been pulling my hair out for the last couple of days to get a better estimation of phase difference between two signals.
We have two analog voltage signals; 1. sine wave (50Hz ± 1Hz) and 2. a square wave with exactly half of sine wave frequency at any time.
At the starting point of operation (and simulation/acquisition) both signals will have no phase difference. However, the square wave's frequency changes unpredictably for just a few milliseconds but then it gets synchronized with the sine wave's frequency again. This means that the square wave will be phased out from its original position. The task of the labview is to find the phase difference between the two signals continuously.
My approach to determine the phase difference is to measure the time when sine wave crosses zero amplitude and the time when the very next square wave changes amplitude from zero volts to +ve voltage (I have a 0.5volts threshold just to avoid any dramas from small line noise). The difference between these times is then divided by the time period and multiplied by 360 to get this phase difference in angles.
As this part is just a small block of a big project, I can only allow 5000Hz sampling rate each for both signals. I read 500 samples (which means I read data from 5 cycles of sine wave and 2.5 cycles of square wave).
Now the problem is, as long as the frequency of sine wave stays constant at exactly 50Hz, I get a good estimation of the phase difference but when the frequency changes even a little (and it will happen in the real scenario i.e 50Hz ± 1Hz and the square wave's frequency is dependent of sine wave's frequency), the estimation error increases.
I have attached my labview program. From front panel, you can set the phase of square wave (between -180 and 0) and you should see the labview's calculated phase in the indicator box named 'Phase'. Then you can press 'Real Frequency' switch that would cause the frequency to change like it would in real operation.
You can observe that the estimation error increases after you push the button.
All I need to do is to reduce this estimation error and make it as close to the actual phase difference as possible. Any help would be greatly appreciated.
I am using LabView 2009 for this task.
The application is for electric machines and the stability/performance of machines under different faults.
Thank you for reading this far!
Regards,
Awais
Attachments:
v603.png 320 KB
v603.vi 186 KB
Jeff Bohrer wrote:
Basic math gives me a bit of pause on this approach. You are sampling at 50 times the frequency of interest so you get 50 samples per cycle. Your phase resolution is 1/50th cycle or 7.2 degrees +/- noise. You will need to sample faster to reduce phase resolution or average multiple readings (at a time cost that is significant)
Jeff- (Hardly Working)
I am sampling at 100 times the sine wave's frequency and 200 times the square wave's frequency. Increasing the sampling rate completely solves my problem. But since I am acquiring several other inputs, I cannot afford a sampling rate higher than 5kHz.
F. Schubert wrote:
I'm not a signal processing expert, but here my basic understanding.
If you simulate sampling with 5kHz and a frequency of 50 Hz (and both are 'sync' by design), you always get an exact 5 periods. Any variation of your signal's frequency gives you a probability to get 4 or 6 'trigger' events. That's an up or down of 20%!
The one measure to reduce such problems is using 'window functions'. They don't fit your current approach (counting instead of a DSP algorithm), so this needs to be reworked as well.
My approach would be to use the concept of a Lock-In amplifier. You need to phaseshift your ref-signal by 90°. Then multiply your measurement signal with the ref signal and the phase shifted ref signal. The obtained values for x/y coordinates of a complex number. Calculate the theta of the complex number (with the LV prim). Feed this in a low pass filter.
The trick on this is, that the square wave has harmonics in it, in this you are interested in the second harmonic which is the sine wave.
To get rid of the effect that the sync between sampling rate and ref signal frequency gives an error, you then can use the window I mentioned above (place it before the lock-in).
For a design that really plays well, use a producer-consumer design pattern to get the calculations done in parallel with the DAQ.
I suggest you to check on wikipedia for some of the keywords I mentioned. Go also for the external links which lead to great tutorials and AppNotes on the signal processing basics.
Sorry, it's not a simple solution I offer and we will have quite some conversation on this forum if you follow this path. Maybe someone else knows a simpler way.
Felix
An interesting view. The sine wave can indeed be looked at as a second harmonic of the square wave. I will implement your idea and get back to you as soon as I get some results. But since I have very limited knowledge of signal processing, it might take me a while to get my head around the solution you mentioned. -
Hi,
we are doing the inter company process between two company codes.
i have one reference document,
1) How can we find the supplying plant sales area and receiving plant sales area?
2) In spro settings "Assign sales organization - distribution channel – plant", which one do we need to assign here (supplying plant sales area or receiving plant sales area)?
3) In the customer master record sales area tab, which one do we need to assign as the Delivering plant (supplying plant or receiving plant)?
Please tell me, anyone.
thanks,
pandu
Hi,
1. Are you referring to the config area or transaction area?
If config, then you can find the configured sales area of the supplying & receiving plant in IMG --> Materials Management --> Purchasing --> Purchase Order --> Set Up Stock Transport Order --> Define Shipping Data for Plants (here you assign the relevant sales area to the relevant Supplying Plant and the created Customer number (in XD01) to the Receiving Plant. This customer number is used in SD shipping processing to identify the ship-to party if provision has been made in Customizing for a stock transfer to be carried out with an SD delivery). This sales area is to subsequently trigger the shipping point (based on shipping point determination) for delivery.
You also assign the supplying plant to a vendor. To do this, from the SAP menu choose Logistics --> Materials Management --> Purchasing --> Master Data --> Vendor --> Purchasing --> Create; on the screen for purchasing data, choose Extras, and you assign the supplying plant here.
2. In the SPRO, you assign the Supplying Plant to the relevant sales organization and the distribution channel in IMG --> Enterprise Structure --> Assignment --> Sales and Distribution --> Assign Sales Organization–Distribution Channel-Plant.
3. This is not required, as this delivery plant in the "Sales" tab is relevant when you create a Sales Order to automatically populate the delivery plant for the particular customer. For cross-company STO, the customer number is used to identify the ship-to-party to carry out the shipping processing. You would instead need to ensure that the shipping condition etc. in the customer are maintained properly for the shipping point determination.
Hope the above helps.
Thanks.